The report was based on recent findings from security firm
Hold Security, and the
Times described the breach as "the largest known collection of
stolen Internet credentials."

Newer reports, however, are skeptical of these claims. There are
numerous details that Hold Security has not disclosed, such as
whether or not the stolen data was encrypted (disguised as random
characters for privacy purposes), which companies and websites
had been affected by the attack, and which countries the
information had been stolen from.

What's more, Hold is charging a $120 subscription to their
services in order to see whether or not you've been affected by
the attack, as
Forbes pointed out.

Joe Siegrist, CEO of password management platform LastPass, said that this could make
Hold Security's findings seem suspicious. The fact that the firm
is charging users a fee to see if their data has been compromised
could be a red flag, but it's difficult to be sure without more
information.

"It's just not how most people with breaches would react," he
told Business Insider. "If you have this kind of data you want to
help people and not kind of capitalize on them. It's definitely a
little suspicious."

The timing is also coincidental, Siegrist said. Hacking experts
and security researchers are currently gathered at the Black Hat
USA security conference in Las Vegas. Another security conference
called Def Con kicks off tomorrow too. It could be a ploy to
generate buzz at a time when cyber security is already in the
news.

"If he really does have all these leaks, he should be letting
other security researchers look at it to help quantify what it
is," Siergist said.

There's one detail, however, that may make the attack seem more
massive than it might have been. CyberVor is believed to have
obtained these stolen credentials over an extended period of
time. As Hold Security
writes in its explanation of the situation, which
The Verge observed, the hacking ring gained data from other
cyber criminals on the black market before spreading its own
attacks.

This means the CyberVors could have purchased some of those 1.2
billion credentials from other hackers —so the collection of
credentials may not have entirely been the result of their
attack.

Thus, it may not make make sense to directly compare this
situation with the recent Target breach, in which hackers from
Easter Europe stole 40 million credit card numbers, as the Times
does in its story.

Although there are a lot of unanswered questions, here's a brief
overview of what we do know about the breach based on information
from Hold Security:

The gang is believed to have
amassed more than 1.2 billion unique password and username
combinations and more than 500,000 email
addresses.

The hacking ring is said to
have robbed 420,000 websites to obtain this
information.

The hackers have targeted
both small personal websites and large companies, but Hold
wouldn't disclose the names of any victims.

According to The New York
Times, some big companies are aware that their records have
been stolen.

The hackers are using botnets
to obtain this information. Botnets allow hackers to affect
thousands and thousands of computers with infected software
that allows them to remotely control the victimized
computer.

We've reached out to Hold
Security to answer some of these questions. We'll update this
article accordingly when we hear back.